@inkeep/agents-core 0.46.0 → 0.46.1

package/dist/auth/auth.d.ts

@@ -98,6 +98,16 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
     maxPasswordLength: number;
     requireEmailVerification: false;
     autoSignIn: true;
+    resetPasswordTokenExpiresIn: number;
+    sendResetPassword: ({
+      user,
+      url,
+      token
+    }: {
+      user: better_auth0.User;
+      url: string;
+      token: string;
+    }) => Promise<void>;
   };
   account: {
     accountLinking: {
@@ -870,25 +880,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -905,6 +915,17 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user: better_auth0.User;
         };
       }): Promise<void>;
+      schema: {
+        invitation: {
+          additionalFields: {
+            authMethod: {
+              type: "string";
+              input: true;
+              required: false;
+            };
+          };
+        };
+      };
       organizationHooks: {
         afterAcceptInvitation: ({
           member,
@@ -1068,6 +1089,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         inviterId: string;
         expiresAt: Date;
         createdAt: Date;
+        authMethod?: string | undefined;
       };
       Member: {
         id: string;
@@ -1107,6 +1129,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           inviterId: string;
           expiresAt: Date;
           createdAt: Date;
+          authMethod?: string | undefined;
         }[];
       } & {
         id: string;
@@ -1180,25 +1203,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1215,6 +1238,17 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user: better_auth0.User;
         };
       }): Promise<void>;
+      schema: {
+        invitation: {
+          additionalFields: {
+            authMethod: {
+              type: "string";
+              input: true;
+              required: false;
+            };
+          };
+        };
+      };
       organizationHooks: {
         afterAcceptInvitation: ({
           member,

package/dist/auth/auth.js

@@ -1,6 +1,7 @@
 import { member, ssoProvider } from "./auth-schema.js";
 import { OrgRoles } from "./authz/config.js";
 import { env } from "../env.js";
+import { setPasswordResetLink } from "./password-reset-link-store.js";
 import { generateId } from "../utils/conversations.js";
 import "../utils/index.js";
 import { ac, adminRole, memberRole, ownerRole } from "./permissions.js";
@@ -81,7 +82,15 @@ function createAuth(config) {
 			minPasswordLength: 8,
 			maxPasswordLength: 128,
 			requireEmailVerification: false,
-			autoSignIn: true
+			autoSignIn: true,
+			resetPasswordTokenExpiresIn: 1800,
+			sendResetPassword: async ({ user, url, token }) => {
+				setPasswordResetLink({
+					email: user.email,
+					url,
+					token
+				});
+			}
 		},
 		account: { accountLinking: {
 			enabled: true,
@@ -155,6 +164,11 @@ function createAuth(config) {
 						invitationId: data.id
 					});
 				},
+				schema: { invitation: { additionalFields: { authMethod: {
+					type: "string",
+					input: true,
+					required: false
+				} } } },
 				organizationHooks: {
 					afterAcceptInvitation: async ({ member: member$1, user, organization: org }) => {
 						try {

package/dist/auth/authz/config.d.ts

@@ -1,4 +1,8 @@
 //#region src/auth/authz/config.d.ts
+/**
+ * Check if a SpiceDB endpoint is localhost (used for TLS auto-detection).
+ */
+declare function isLocalhostEndpoint(endpoint: string): boolean;
 /**
  * Get SpiceDB connection configuration from environment variables.
  * TLS is auto-detected: disabled for localhost, enabled for remote endpoints.
@@ -94,4 +98,4 @@ interface ProjectPermissions {
   canEdit: boolean;
 }
 //#endregion
-export { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig };
+export { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isLocalhostEndpoint };

package/dist/auth/authz/config.js

@@ -1,15 +1,20 @@
 //#region src/auth/authz/config.ts
 /**
+* Check if a SpiceDB endpoint is localhost (used for TLS auto-detection).
+*/
+function isLocalhostEndpoint(endpoint) {
+	return endpoint.startsWith("localhost") || endpoint.startsWith("127.0.0.1");
+}
+/**
 * Get SpiceDB connection configuration from environment variables.
 * TLS is auto-detected: disabled for localhost, enabled for remote endpoints.
 */
 function getSpiceDbConfig() {
 	const endpoint = process.env.SPICEDB_ENDPOINT || "localhost:50051";
-	const isLocalhost = endpoint.startsWith("localhost") || endpoint.startsWith("127.0.0.1");
 	return {
 		endpoint,
 		token: process.env.SPICEDB_PRESHARED_KEY || "",
-		tlsEnabled: !isLocalhost
+		tlsEnabled: !isLocalhostEndpoint(endpoint)
 	};
 }
 /**
@@ -82,4 +87,4 @@ const ProjectRoles = {
 };
 
 //#endregion
-export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig };
+export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isLocalhostEndpoint };

package/dist/auth/init.js

@@ -6,6 +6,7 @@ import { createAgentsRunDatabaseClient } from "../db/runtime/runtime-client.js";
 import { addUserToOrganization, upsertOrganization } from "../data-access/runtime/organizations.js";
 import { getUserByEmail } from "../data-access/runtime/users.js";
 import { createAuth } from "./auth.js";
+import { writeSpiceDbSchema } from "./spicedb-schema.js";
 
 //#region src/auth/init.ts
 /**
@@ -31,6 +32,15 @@ loadEnvironmentFiles();
 const TENANT_ID = process.env.TENANT_ID || "default";
 async function init() {
 	console.log("🚀 Initializing database with default organization and user...\n");
+	console.log("📜 Writing SpiceDB schema...");
+	try {
+		await writeSpiceDbSchema();
+		console.log("   ✅ SpiceDB schema applied");
+	} catch (error) {
+		console.error("   ❌ Failed to write SpiceDB schema:", error);
+		console.error("   Make sure SpiceDB is running (docker-compose.dbs.yml)");
+		process.exit(1);
+	}
 	const dbClient = createAgentsRunDatabaseClient();
 	const username = process.env.INKEEP_AGENTS_MANAGE_UI_USERNAME;
 	const password = process.env.INKEEP_AGENTS_MANAGE_UI_PASSWORD;
@@ -95,14 +105,14 @@ async function init() {
 			action: "add"
 		});
 		console.log("   ✅ Synced to SpiceDB");
-	} catch {
-		console.log("   ℹ️  SpiceDB sync failed");
+	} catch (error) {
+		console.error("❌ SpiceDB sync failed:", error);
 	}
 	console.log("\n================================================");
 	console.log("✅ Initialization complete!");
 	console.log("================================================");
 	console.log(`\nOrganization: ${TENANT_ID}`);
-	console.log(`Admin user:   ${username} (owner)`);
+	console.log(`Admin user:   ${username}`);
 	console.log("\nYou can now log in with these credentials.\n");
 	process.exit(0);
 }

package/dist/auth/password-reset-link-store.d.ts

@@ -0,0 +1,26 @@
+//#region src/auth/password-reset-link-store.d.ts
+type PasswordResetLinkEntry = {
+  email: string;
+  url: string;
+  token: string;
+};
+/**
+ * Sets up a listener that resolves when `setPasswordResetLink` fires for this email.
+ * Call BEFORE `auth.api.requestPasswordReset()`.
+ *
+ * This creates a per-request promise bridge: the `sendResetPassword` callback
+ * (configured in auth.ts) calls `setPasswordResetLink`, which resolves this promise
+ * within the same HTTP request on the same server instance.
+ */
+declare function waitForPasswordResetLink(email: string, timeoutMs?: number): Promise<PasswordResetLinkEntry>;
+/**
+ * Called from the `sendResetPassword` callback in auth config.
+ * Resolves the pending promise for this email (if any).
+ */
+declare function setPasswordResetLink(entry: {
+  email: string;
+  url: string;
+  token: string;
+}): void;
+//#endregion
+export { setPasswordResetLink, waitForPasswordResetLink };

package/dist/auth/password-reset-link-store.js

@@ -0,0 +1,40 @@
+//#region src/auth/password-reset-link-store.ts
+const pendingResolvers = /* @__PURE__ */ new Map();
+/**
+* Sets up a listener that resolves when `setPasswordResetLink` fires for this email.
+* Call BEFORE `auth.api.requestPasswordReset()`.
+*
+* This creates a per-request promise bridge: the `sendResetPassword` callback
+* (configured in auth.ts) calls `setPasswordResetLink`, which resolves this promise
+* within the same HTTP request on the same server instance.
+*/
+function waitForPasswordResetLink(email, timeoutMs = 1e4) {
+	const key = email.toLowerCase();
+	return new Promise((resolve, reject) => {
+		const timeout = setTimeout(() => {
+			pendingResolvers.delete(key);
+			reject(/* @__PURE__ */ new Error("Timed out waiting for password reset link"));
+		}, timeoutMs);
+		pendingResolvers.set(key, (entry) => {
+			clearTimeout(timeout);
+			pendingResolvers.delete(key);
+			resolve(entry);
+		});
+	});
+}
+/**
+* Called from the `sendResetPassword` callback in auth config.
+* Resolves the pending promise for this email (if any).
+*/
+function setPasswordResetLink(entry) {
+	const key = entry.email.toLowerCase();
+	const resolver = pendingResolvers.get(key);
+	if (resolver) resolver({
+		email: entry.email,
+		url: entry.url,
+		token: entry.token
+	});
+}
+
+//#endregion
+export { setPasswordResetLink, waitForPasswordResetLink };

package/dist/auth/permissions.d.ts

@@ -5,25 +5,25 @@ import { organizationClient } from "better-auth/client/plugins";
 //#region src/auth/permissions.d.ts
 declare const ac: AccessControl;
 declare const memberRole: {
-  authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
-    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
+  authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
   } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
+  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
 };
 declare const adminRole: {
-  authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
-    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
+  authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
   } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
+  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
 };
 declare const ownerRole: {
-  authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
-    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
+  authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
   } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
+  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
 };
 //#endregion
 export { ac, adminRole, memberRole, organizationClient, ownerRole };

package/dist/auth/spicedb-schema.d.ts

@@ -0,0 +1,9 @@
+//#region src/auth/spicedb-schema.d.ts
+declare function writeSpiceDbSchema(options?: {
+  endpoint?: string;
+  token?: string;
+  schemaPath?: string;
+  maxRetries?: number;
+}): Promise<void>;
+//#endregion
+export { writeSpiceDbSchema };

package/dist/auth/spicedb-schema.js

@@ -0,0 +1,24 @@
+import { getSpiceDbConfig, isLocalhostEndpoint } from "./authz/config.js";
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { v1 } from "@authzed/authzed-node";
+
+//#region src/auth/spicedb-schema.ts
+async function writeSpiceDbSchema(options) {
+	const config = getSpiceDbConfig();
+	const { endpoint = config.endpoint, token = config.token, schemaPath = resolve(import.meta.dirname, "../../spicedb/schema.zed"), maxRetries = 30 } = options ?? {};
+	const schema = readFileSync(schemaPath, "utf-8");
+	const client = v1.NewClient(token, endpoint, isLocalhostEndpoint(endpoint) ? v1.ClientSecurity.INSECURE_LOCALHOST_ALLOWED : v1.ClientSecurity.SECURE);
+	let lastError;
+	for (let attempt = 1; attempt <= maxRetries; attempt++) try {
+		await client.promises.writeSchema(v1.WriteSchemaRequest.create({ schema }));
+		return;
+	} catch (error) {
+		lastError = error;
+		if (attempt < maxRetries) await new Promise((r) => setTimeout(r, 1e3));
+	}
+	throw new Error(`Failed to write SpiceDB schema after ${maxRetries} attempts: ${lastError?.message}`);
+}
+
+//#endregion
+export { writeSpiceDbSchema };